Hi,
We have around 15 different applications for which we are going to use HEC to collect data. There are two heavy forwarders on which HEC will be configured and managed by a deployment server.
1) Should I use a different token for each application or a single token for sending data?
2) How do I configure HA between the two heavy forwarders? If one heavy forwarder goes down, will the 2nd heavy forwarder send the data?
Regards
Hi,
I am not quite sure about Nr. 1. I saw environments where they used a new token for each HEC connection. This might be more secure (?) or just necessary.
To Nr. 2: there is no real HA for HF. You could set up your Universal Forwarders to send to both HFs. The UFs would then load balance across the two HFs, but for your case, with HEC, this is not an option.
Hi,
Thanks for the response.
For the 2nd point, we are not using UF. Instead it is Serilog, which uses a script to send data to Splunk.
Do we use a load balancer to distribute the load or modify the script to send the data to both the servers?